Splunk Enterprise Security

Cisco ACI Add-on for Splunk Enterprise: What CIM Module data sets does are in compliance for each sourcetype?

guarisma
Contributor

The Cisco ACI Add-on for Splunk Enterprise provides these source types:

cisco:apic:health
cisco:apic:stats
cisco:apic:class
cisco:apic:authentication

And is Common Information Model (CIM) 4.5, 4.4, 4.3, 4.2, 4.1 compliant.

I would like to know what CIM Datasets are in compliant for each source type?

I'm working with Splunk Enterprise Security and which to know what value can Cisco ACI Add-on for Splunk Enterprise can bring to it.

0 Karma
1 Solution

guarisma
Contributor

From: "Nilay Shah -X (nilaysh - MBO PARTNERS INC at Cisco)"
Date: Thursday, January 26, 2017 at 11:32 AM
To: Igor Guarisma
Cc: "aci-splunk-app(mailer list)"
Subject: Re: What CIM Data Model data sets does each source type of the Cisco ACI Add-on compliant?

Hi Igor,

What you mentioned is correct! The sourcetype cisco:apic:authentication is compliant with CIM data models you listed out. All other sourcetypes/data models are custom built but follow the CIM guidelines for field names, field extractions, aliases, etc.

Additionally,

Source type | Description | CIM data model(s)
cisco:apic:health | Health scores of all entities in the fabric | Custom
cisco:apic:stats | Statistical data on packet flows, network communication, etc | Custom
cisco:apic:class | Class info such as Tenants, EPGs, BD's etc. | Custom
cisco:apic:authentication | Audit & access logs | Authentication, Network Session

I hope this information helps you decide on using Cisco ACI add-on for Enterprise Security app.
Let me know if you have any further questions.

Best Regards,
Nilay Shah.

View solution in original post

guarisma
Contributor

From: "Nilay Shah -X (nilaysh - MBO PARTNERS INC at Cisco)"
Date: Thursday, January 26, 2017 at 11:32 AM
To: Igor Guarisma
Cc: "aci-splunk-app(mailer list)"
Subject: Re: What CIM Data Model data sets does each source type of the Cisco ACI Add-on compliant?

Hi Igor,

What you mentioned is correct! The sourcetype cisco:apic:authentication is compliant with CIM data models you listed out. All other sourcetypes/data models are custom built but follow the CIM guidelines for field names, field extractions, aliases, etc.

Additionally,

Source type | Description | CIM data model(s)
cisco:apic:health | Health scores of all entities in the fabric | Custom
cisco:apic:stats | Statistical data on packet flows, network communication, etc | Custom
cisco:apic:class | Class info such as Tenants, EPGs, BD's etc. | Custom
cisco:apic:authentication | Audit & access logs | Authentication, Network Session

I hope this information helps you decide on using Cisco ACI add-on for Enterprise Security app.
Let me know if you have any further questions.

Best Regards,
Nilay Shah.

rpille_splunk
Splunk Employee
Splunk Employee

Hi Guarisma,

That add-on is provided by Cisco, so they're the ones providing the docs for it. The contact information for questions and support is in the Splunkbase details tab, at the bottom: https://splunkbase.splunk.com/app/1897/#/details

You can also probably infer the model mapping my examining the add-on's tags.conf and eventtypes.conf files and comparing the tags you see there to the CIM documentation.

Hope that helps!

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...